How to manually detect CVE-2022-21371 in Oracle WebLogic Servers

If you’re constantly thinking about better ways to discover critical vulnerabilities in systems, you are not alone.

As a security researcher, I spend most of my time understanding their root cause and their potential impact on organizations, striving to help other security specialists communicate them effectively.

After I dove into specifics to explain a Local File Inclusion discovered in Oracle WebLogic Server a few months ago, another vulnerability affecting the same Oracle technology piqued my curiosity: CVE-2022-21371.

Let’s break down this vulnerability and find out how you can report it effectively.

What is Oracle WebLogic Server CVE-2022-21371?

The CVE-2022-21371 (CVSSv3 7.5) vulnerability allows a remote attacker to perform directory traversal attacks inside an Oracle WebLogic Server.

Before we jump into more technical details, let’s understand what a WebLogic server is. It is a Java application server for developing, integrating, deploying, and managing large-scale, distributed web applications, network applications, and database applications.

It brings the dynamic capabilities of Java and the security of Java Enterprise standards into the development, integration, deployment, and management of wide-ranging web applications.

How CVE-2022-21371 works

The vulnerability exists because of input validation error when processing dashes in URLs. An attacker can remotely send a specially crafted HTTP request and read deployment descriptors for the web application on the system. This includes application code and data, credentials, and deployment descriptor elements, which make this vulnerability a real threat for the WebLogic Server.

Vulnerable Oracle WebLogic versions

According to NIST, this CVE affects Oracle WebLogic Server versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

Business impact of CVE-2022-21371

If they get access to vulnerable systems, attackers can read sensitive data from the WebLogic server. For instance, bad actors can access configuration files and go even further to examine the structure and architecture of the entire system.

How to find targets vulnerable to CVE-2022-21371

You can use the Shodan search engine with the filter product: “Oracle WebLogic” to find exposed targets across the internet. With this query, we found 2,398 results at the time of writing.

Another option is to try PublicWWW and search for WebLogic Console to find potentially vulnerable targets. This search engine showed 848 results when we published this guide.

How to manually detect CVE-2022-21371 in ethical hacking engagements

Want to understand how you can manually detect this high-risk CVE?

Start by sending a HTTP GET request to the Oracle WebLogic using one of the vulnerable endpoints inside this particular list:

.//META-INF/MANIFEST.MF
.//WEB-INF/web.xml
.//WEB-INF/portlet.xml
.//WEB-INF/weblogic.xml

curl ‘https://<HOST>‘ –request-target “.//WEB-INF/weblogic.xml”

The –request-target parameter of curl is required because of the ‘.’ in the beginning. The URL is not valid since it does not start with a ‘/’ and, reading up the curl manual, we find out this parameter allows us to try an alternative path.

This HTTP GET request enables a malicious actor to access the content of the weblogic.xml file inside the WebLogic server.

This file includes complete references for the elements in the WebLogic Server, specific for the deployment. For example, the security-role-assignment element declares a mapping between a web application security role and one or more principals in WebLogic Server. The run-as-role-assignment element maps a run-as role name (a sub-element of the servlet element) in web.xml to a valid user name in the system. Cybercriminals can use all this information to launch new attacks and gain access to critical infrastructure.

How to mitigate CVE-2022-21371 in Oracle WebLogic servers

We recommend upgrading vulnerable WebLogic servers to the latest version as soon as possible and make sure to follow the guidelines from the Oracle Critical Patch Update Advisory to ensure systems are safe to use and the attack surface remains under control.

Will we hear about other exploitable vulnerabilities in Oracle WebLogic Servers anytime soon?

Time will tell.

As offensive security specialists, we can focus on helping organizations implement mitigation measures and integrate them into business priorities. This way, they can limit the window of opportunity for malicious actors trying to exploit vulnerabilities like this one and keep the attack surface in check.

Count on us to keep sharing our research in the form of helpful pentesting guides that boost your ethical hacking skills.